LDAP query in an ASP page


spaulding (Technical User), Jan 10, 2001
I'm trying to write an ASP page that will return a list of Active Directory User accounts that are disabled. I've written several ASP pages and am reasonably comfortable with that, but I've yet to use LDAP in the query. Below is the script I've started to put together. Part of it is from Microsoft TechNet and part is from a thread on this forum. Unfortunately, it doesn't work and returns the following error:
Provider error '80040e14'

One or more errors occurred during processing of command.

The message refers to line 13 which is the command.execute line. I figure this means my command.text line is out of whack, but I don't know enough about the syntax to figure it out.

I'd appreciate any help I can get.



<%@language=vbscript%>
<%
Const ADS_UF_ACCOUNTDISABLE = 2

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider="ADsDSOObject"

objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = "select distinguishedName, userAccountControl from 'LDAP://DC=FISD, DC=org' where objectCategory=User"
Set objRecordset = Server.CreateObject("ADODB.Recordset")
Set objRecordSet = objCommand.Execute   ' line 13: where the 80040e14 error is raised

intCounter = 0
While Not objRecordset.EOF
intUAC=objRecordset.Fields("userAccountControl")
If intUAC And ADS_UF_ACCOUNTDISABLE Then   ' bitwise test of the ACCOUNTDISABLE flag
response.write objRecordset.Fields("distinguishedName") & " is disabled."
intCounter = intCounter + 1
End If
objRecordset.MoveNext
Wend

response.write "A total of " & intCounter & " accounts are disabled."

objConnection.Close

%>
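The bit test in the loop above is what decides whether an account is disabled. As an added example (not code from this thread), the following Python decodes a userAccountControl value into its flag names, applies the same ACCOUNTDISABLE test to constructed sample records, and builds the LDAP filter that pushes that test to the domain controller using the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803), so a page does not have to pull every user object and test the bit client-side. The sample records and their DNs are constructed; the flag values are the ADS_USER_FLAG_ENUM constants.

```python
"""Decode userAccountControl and select disabled accounts.

Added example; not code from the thread. The sample records below are
constructed; the flag values are the ADS_USER_FLAG_ENUM constants.
"""

# Bit flags carried in userAccountControl (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ADS_UF_ACCOUNTDISABLE = 0x2

# LDAP_MATCHING_RULE_BIT_AND: lets the server test a bit of an integer attribute.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Constructed sample data: (distinguishedName, userAccountControl).
SAMPLE_RECORDS = [
    ("CN=Alice Example,OU=Staff,DC=FISD,DC=org", 512),        # NORMAL_ACCOUNT
    ("CN=Bob Example,OU=Staff,DC=FISD,DC=org", 514),          # NORMAL_ACCOUNT | ACCOUNTDISABLE
    ("CN=svc-backup,OU=Service,DC=FISD,DC=org", 66048),       # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("CN=Old Student,OU=AllStudents,DC=FISD,DC=org", 66050),  # ... | ACCOUNTDISABLE
]


def decode_uac(value):
    """Return the sorted names of the flags set in a userAccountControl value."""
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)


def is_disabled(value):
    """Same test as the ASP page: If intUAC And ADS_UF_ACCOUNTDISABLE Then."""
    return bool(value & ADS_UF_ACCOUNTDISABLE)


def disabled_accounts(records):
    """Client-side selection, the way the ASP loop does it."""
    return [dn for dn, uac in records if is_disabled(uac)]


def disabled_users_filter():
    """LDAP filter that makes the domain controller do the bit test instead.

    objectCategory=person together with objectClass=user selects user
    accounts; objectClass=user alone also matches computer objects.
    """
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{BIT_AND_RULE}:=2))")


def report(records):
    """Mirror the page's output: one line per disabled account plus a total."""
    lines = [f"{dn} is disabled. [{', '.join(decode_uac(uac))}]"
             for dn, uac in records if is_disabled(uac)]
    lines.append(f"A total of {len(disabled_accounts(records))} accounts are disabled.")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RECORDS)))
    print("Server-side filter:", disabled_users_filter())
```

Doing the test on the server also matters for completeness: an ADO/ADSI query that does not set the "Page Size" property returns no more than the domain's MaxPageSize (1000 by default) entries, so a client-side loop over every user silently misses accounts in a larger directory.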
 
The error you are receiving is from a security issue.
Remove the hard-coded username and password from the ASP.

In IIS, on the directory with this ASP, disable all security access except anonymous. Change the anonymous account used for that directory from the normal IIS anonymous account (IUSR_machinename) to a domain account (DOMAIN\username) with the password. Uncheck "Allow IIS to control password". The domain account needs to be able to read items in the Active Directory. I believe any domain account in the default user group ("Domain Users") has that access unless you have made custom changes to Active Directory security.

It may also help to apply application settings for that directory. On the "Directory" tab under "Application Settings" select Create. Execute permissions would be Scripts Only and application protection would be Medium. These settings are not required, but have helped out a few people.

Note: The account used for anonymous access will need access to the directory. Make sure that you check the ACLs for the folder and files contained within.

Note: Searching the global catalog (GC://) is faster than searching LDAP (LDAP://). You will need to do some testing to make sure that all of the info you will need to retrieve is available in the global catalog. M$ has a few knowledge base articles explaining how to see which Active Directory fields are also synchronized to the GC, plus ways to add fields if you want them included.

--- 99% of the time, when connections to remote resources are made from IIS, security settings/configurations cause the most problems.

-zcolton
 
Well, I stepped back and took another look at the problem and think I found the answer. I wanted to be able to delegate several important but menial administrative duties to other, non-administrator, users. What I ended up doing, is reworking my Active Directory OUs to include an additional sublayer of OUs with specific group policies applied to them (e.g. a no-Internet OU with a GPO that points to a non-existent proxy server etc.). Then I made the people I wanted to give the administrative duties account operators. Next I wrote two scripts. One to display a list of users in each sub-OU complete with a checkbox and submit button. This called the second script which uses the MoveHere method to move the checked users from one sub-OU to the other thereby changing the policy. On my IIS server, I set the authentication method for these scripts to basic (it's an Intranet so clear text is a little less of a problem). Finally, I put the scripts in folders on my IIS server with access permissions for only the specified users.

I just got this working, so now we're testing this, but can anyone see any obvious flaws?

Scripts
moveuser.asp script
<%
On Error Resume Next   ' as posted: errors are swallowed, so a failing GetObject is not reported

Set RootDse = GetObject("LDAP://RootDse")
Path = "LDAP://" & RootDse.Get("DefaultNamingContext")

Response.Write "HS-Students:<br>"
Set ou = GetObject("LDAP://OU=AllStudents,OU=HS-Users,OU=High School,OU=Campuses,DC=FISD,DC=org")
count = 0
Response.Write "<form method='post' action='moveuser_execute.asp'>"
For Each obj In ou
    count = count + 1
    ' obj.Name is the RDN (e.g. CN=...); it becomes the checkbox value posted back
    Response.Write count & " <input type='checkbox' name='users' value='" & obj.Name & "'>" & obj.FullName & "<br>"
Next
Response.Write "<input type='submit' value='Enable accounts'></form>"
%>

moveusers_execute.asp

<% Option Explicit %>

<%
Dim userid        ' individual user CN (the RDN posted by the form)
Dim srccontainer  ' source OU distinguished name
Dim dcon          ' destination container object
Dim ldapdst       ' LDAP destination string
Dim ldapuser      ' LDAP user string
Dim RootDse
Dim Path

Set RootDse = GetObject("LDAP://RootDse")
Path = "LDAP://" & RootDse.Get("DefaultNamingContext")

srccontainer = "OU=AllStudents,OU=HS-Users,OU=High School,OU=Campuses,DC=FISD,DC=org"

For Each userid In Request.Form("users")
    ' the posted value is spliced directly in front of the source container DN
    ldapuser = "LDAP://" & userid & "," & srccontainer

    Set dcon = GetObject("LDAP://OU=NoInternet,OU=HS-Users,OU=High School,OU=Campuses,DC=FISD,DC=org")
    dcon.MoveHere ldapuser, userid
    Response.Write userid & " account moved."
    Set dcon = Nothing
Next
%>
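The execute script takes each value of request.form("users") and splices it straight into an LDAP path, so whatever the browser submits (checkbox values can be edited client-side) becomes part of the DN that MoveHere operates on. As an added example, not code from the thread, here is the input handling a reviewer would ask for, written in Python: the posted value is accepted only if it is a CN= RDN, its value is unescaped and re-escaped per RFC 4514 so that separators inside it stay data instead of becoming extra DN components, and it is optionally checked against the set of names the page actually listed from the source OU. The posted names and the listed set are constructed; the container DNs are the thread's own.

```python
"""Build the ADsPath of a posted user as data under a fixed container.

Added example; not code from the thread. The posted names and LISTED_CNS
below are constructed. The container DNs are those used by the thread's
scripts.
"""

SRC_CONTAINER = "OU=AllStudents,OU=HS-Users,OU=High School,OU=Campuses,DC=FISD,DC=org"
DST_CONTAINER = "OU=NoInternet,OU=HS-Users,OU=High School,OU=Campuses,DC=FISD,DC=org"

# Characters RFC 4514 requires to be backslash-escaped inside an RDN value.
_SPECIAL = set('"+,;<>\\')
_HEX = set("0123456789abcdefABCDEF")


def unescape_rdn_value(text):
    """Undo RFC 4514 escaping (\\, or \\2c forms) so the value can be re-escaped canonically."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out += ch.encode("utf-8")
            i += 1
        elif i + 1 < len(text) and (text[i + 1] in _SPECIAL or text[i + 1] in " #="):
            out += text[i + 1].encode("utf-8")
            i += 2
        elif i + 2 < len(text) and text[i + 1] in _HEX and text[i + 2] in _HEX:
            out.append(int(text[i + 1:i + 3], 16))   # hex pair is one UTF-8 byte
            i += 3
        else:
            raise ValueError(f"bad escape sequence in RDN value: {text!r}")
    return out.decode("utf-8")


def escape_rdn_value(value):
    """RFC 4514 escaping: specials anywhere, leading space or '#', trailing space."""
    if "\x00" in value:
        raise ValueError("NUL is not allowed in an RDN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def posted_cn(posted):
    """Accept only 'CN=<value>' and return the raw (unescaped) value."""
    attr, sep, value = posted.partition("=")
    if not sep or attr.strip().upper() != "CN" or not value:
        raise ValueError(f"unexpected object name: {posted!r}")
    return unescape_rdn_value(value)


def user_adspath(posted, allowed_cns=None, container=SRC_CONTAINER):
    """ADsPath for a posted checkbox value, always directly under `container`.

    `allowed_cns` is the set of CN values the listing page itself produced,
    re-read from the source OU at submit time; anything else is rejected.
    """
    cn = posted_cn(posted)
    if allowed_cns is not None and cn not in allowed_cns:
        raise ValueError(f"{cn!r} is not in the source container")
    return f"LDAP://CN={escape_rdn_value(cn)},{container}"


def is_rejected(posted, allowed_cns=None):
    """True when user_adspath refuses the posted value."""
    try:
        user_adspath(posted, allowed_cns)
    except ValueError:
        return True
    return False


# Constructed: what the listing page would have shown from the source OU.
LISTED_CNS = {"Smith, John", "Jane Doe"}

if __name__ == "__main__":
    for posted in ["CN=Smith\\, John", "CN=Jane Doe", "CN=x,OU=Staff", "OU=Staff", "CN=Mallory"]:
        try:
            print(posted, "->", user_adspath(posted, LISTED_CNS))
        except ValueError as exc:
            print(posted, "-> rejected:", exc)
```

A posted value of CN=x,OU=Staff comes out as LDAP://CN=x\,OU=Staff,OU=AllStudents,..., that is, a (nonexistent) object whose name contains a comma, directly under AllStudents, so the move fails instead of addressing an object elsewhere in the tree. The allowlist check is the stronger control: the directory ACLs only stop what the bound account is not permitted to do, while the allowlist keeps the page from issuing any move it did not offer.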
 
Hi,

I am trying to run this code on an asp file but get an error.


function exeQuery(queryStr) {
    var oConn;
    // HRESULTs come back as negative signed ints in JScript; >>> 0 prints them in the usual 8004xxxx form
    function report(err) {
        Response.write("Err: " + (err.number >>> 0).toString(16) + " desc: " + err.description);
    }
    try { oConn = new ActiveXObject("ADODB.Connection"); } catch (err) { report(err); }
    try { oConn.Open(cst); } catch (err) { report(err); }
    try { oConn.Execute(queryStr); } catch (err) { report(err); }
    try { oConn.Close(); } catch (err) { report(err); }
}

// bind credentials, hard-coded in the page as posted
var cst = "Provider=ADSDSOObject;User ID=Directory Manager;Password=pwd;";

var str = "SELECT cn FROM 'LDAP://172.17.17.115:8404/o=mydomain.com' WHERE objectClass='User'";

exeQuery(str);

I get a 'Table does not exist' error. It's not an Active Directory server, but this string should work, shouldn't it?
Thanks.
alej
 
Now I tried the example from [...]. It's possible to connect and it retrieves the info, because I can count the records; however, if I use the loop from the example to print the field, I get the following error:

Multiple-step OLE DB operation generated errors. Check each OLE DB status value, if available. No work was done.

Any ideas?? Thanks.
alej
 
I wrote this piece of code on a W2K server with IWA on and am getting results. However, my question is that I have to specify the field names to be retrieved. Many of them are commonly known, like ADSPath, MAIL; the sapcostcenter is probably something of a custom attribute. Is there a way in the query that I can supply and get the field collection, and use some sort of upper-bound controls (enumeration) like recordset.fields("0").Name, likewise? Our AD consists of a large number of fields and I am not getting results if I try UID, UserID, which I think are quite valid attributes.
Code:
<HTML>
<HEAD>
</HEAD>
<BODY>

<% Response.Write("ASP" & " is available") %>

<%
Set objConnection = Server.CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

Set objCommand = Server.CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

Response.Write "hello"
' LDAP dialect: <base>;filter;attribute list;scope
objCommand.CommandText = "<LDAP://ou=users,ou=BARTLESVILLE,dc=conoco,dc=net>;(objectClass=*);" & _
    "ADSPath,MAIL,sapcostcenter,CN;subtree"

' Set search preferences.
objCommand.Properties("Page Size") = 5000
objCommand.Properties("Timeout") = 60 'seconds

Set objRecordSet = objCommand.Execute
Response.Write "****************************************" & "<BR>"
i = 0
While Not objRecordSet.EOF
    Response.Write i & "&nbsp;"
    Response.Write "CN--" & objRecordSet.Fields("CN") & "&nbsp;"
    Response.Write "SAP--" & objRecordSet.Fields("SAPCOSTCENTER") & "&nbsp;"
    Response.Write "<BR>"
    i = i + 1
    objRecordSet.MoveNext
Wend

objConnection.Close
%>

Came back
</BODY>
</HTML>
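This post's command string uses the ADSI LDAP dialect, '<base>;filter;attributes;scope', where the filter is standard RFC 4515 syntax rather than the SQL-like WHERE clause used earlier in the thread. As an added example (not the poster's code), the following Python assembles such a command string while checking each of its four fields, and shows the escaping a value taken from a request needs before it is placed inside a filter. The base DN and attribute list are the ones in the post above; the hostile cn value is constructed.

```python
"""Build an ADsDSOObject LDAP-dialect command string with validation.

Added example; not code from the thread. BASE and ATTRS are taken from the
post above; the user-supplied cn values are constructed.
"""

SCOPES = ("base", "onelevel", "subtree")

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a value so it cannot open, close or wildcard filter components."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parens_balanced(search_filter):
    """Structural check on the raw filter text (escaped parens are not parens)."""
    depth = 0
    for ch in search_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def is_attribute_name(name):
    """attributeDescription without options: ALPHA *(ALPHA / DIGIT / "-")."""
    return (bool(name) and name[0].isascii() and name[0].isalpha()
            and all(c.isascii() and (c.isalnum() or c == "-") for c in name))


def ldap_dialect(base, search_filter, attributes, scope="subtree"):
    """Return '<base>;filter;attr,attr;scope' after checking each field."""
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}, got {scope!r}")
    if not (search_filter.startswith("(") and search_filter.endswith(")")
            and parens_balanced(search_filter)):
        raise ValueError(f"malformed filter: {search_filter!r}")
    if not attributes or not all(is_attribute_name(a) for a in attributes):
        raise ValueError(f"bad attribute list: {attributes!r}")
    if ";" in base:
        raise ValueError("';' is the field separator of the LDAP dialect")
    return f"<{base}>;{search_filter};{','.join(attributes)};{scope}"


def is_valid_command(base, search_filter, attributes, scope="subtree"):
    """True when ldap_dialect accepts the four fields."""
    try:
        ldap_dialect(base, search_filter, attributes, scope)
    except ValueError:
        return False
    return True


def user_by_cn_filter(cn):
    """Filter for one user by cn, with the request-supplied cn value escaped."""
    return f"(&(objectCategory=person)(objectClass=user)(cn={escape_filter_value(cn)}))"


BASE = "LDAP://ou=users,ou=BARTLESVILLE,dc=conoco,dc=net"
ATTRS = ["ADSPath", "MAIL", "sapcostcenter", "CN"]

if __name__ == "__main__":
    print(ldap_dialect(BASE, "(objectClass=*)", ATTRS))
    # Constructed hostile input: unescaped, cn=* would match every user in the base.
    print(ldap_dialect(BASE, user_by_cn_filter("*)(objectClass=*"), ATTRS, "onelevel"))
```

The attribute list is the third field, so a name taken from user input cannot be protected by filter escaping; it is checked against the attribute-name grammar instead. The filter itself is validated only structurally here; the assertion values inside it are what escape_filter_value protects.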
 
Good thread guys!
In spaulding's last post it looks like he was connecting to AD in the ASP code just as he would in a straight VBScript. Did you have success with this? When I tried, I got a 80072020 error (couldn't really find anything on that one).
I'm trying to create security groups from information entered on a form.
any thoughts?
 
Fantastic Thread.
I'm having a different sort of problem concerning querying my AD Server via ASP.
I'm in the process of moving an existing application from a SQL Server to Oracle. This also means that I am changing web server. The application queries our AD server, and works without issue. On the new server, this is not the case. I receive the following error:

Error Type:
Provider (0x80040E37)
Table does not exist.

As I mentioned, the code is identical and works on the old server. My questions are basically: what could cause this error? What other items do I need to have in place in order for LDAP to work? I have a user account hard-coded into my ASP code that I use to hit the AD server; what kind of privileges does that account need to have in order to retrieve information from the AD server? I have to assume that my problem lies in the application configuration in IIS or with the user account I am using to query the server. Your help and suggestions are appreciated, thank you.
 
The query will work only on servers on which Integrated Windows authentication is turned on. Lots of references are available on how to do this in this area.
Code:
objCommand.CommandText ="<LDAP://ou=users,ou=BARTLESVILLE,dc=conoco,dc=net>;(objectClass=*);"&_
"ADSPath,MAIL,sapcostcenter,CN;subtree"

Observe this: I was running this from a computer that was called powbd150.conoco.net on the domain component and querying for the organizational units users and Bartlesville. This IIS 5 web server had IWA on.
This is the theory that makes it work, I think. I am a novice. Also, the ADSI interfaces need to be present, as can be evidenced by the Server.CreateObject called; if it is not there, those lines will fail. I think since you are getting an error code that appears to have executed the ADSI, try a well-known attribute like cn or something.

Always acknowledge a fault. This will throw those in authority off their guard and give you an opportunity to commit more.
Mark Twain

appnair

 
I have to agree with RythmAddict... this is a good thread!

Anyway, I am new to using LDAP, but am in a critical situation where I NEED to do this. The situation is that I need to query our domain controller in our network, from a web server, and pass back from the DC (Win2K3) a single number which is a value which will be used by our web server for a bespoke app.
We are storing this number in the home-phone field in a newly created "client" AD object.
Now, I started on this thread and am trying zcolton's "works anywhere" script. Initially I got the unspecified error, and as I know my IIS and web server security inside out, I tried changing GC: to LDAP:
I made progress! However, the script stopped on line objDomain = GetObject (the RootDSE line), saying that the domain could not be found. So I entered the domain manually:
Set objDomain = GetObject ("LDAP://mydomain")

But then it gets stuck on the next line:
objADsPath = objDomain.Get("defaultNamingContext")

saying:
The directory property cannot be found in the cache

Now, admittedly I am testing this script on my workstation with IIS (so my workstation is the web server for now), which of course is on the network with the DC... could this be the trouble?

Can anyone help?

TIA,

Will
 
Will,

It seems the machine hosting IIS to test your ASP page cannot access the domain. I'm assuming your machine is a domain member and you are logging onto the domain and not the local machine. If so, to test your script, save it as a VBScript file and run it locally. Have the script display the data you want to retrieve in a message box. This may help you in testing the script itself. When you know the script is functional, then try having it run in an ASP page. Post your script here and I can take a look at it.

Zac
 
I am kind of having the same IIS/ASP/Active Directory security issue.
I am looking at the initial posts of this thread and saw that IIS will not work with IIS integration.

Strange: "IIS Integrated authentication" works for me, but when I change the IIS server date to one day after the Active Directory data, I am getting the error

Provider error '80040e14'
Table does not exist

Not sure why this is happening? The IIS server is a domain member and I am logged in as a domain member.
 
"... I change IIS server date to one day after the Active Directory data"


?????

Zac
 
Wow! It has been so long since last reply, I had moved on to other things!

I also got it working... originally I was thinking about security of my local machine as web server, and of the directory, etc., but then it dawned on me that the page's script was accessing the AD! After I realised this, I looked at using an account that had permission for AD (as you originally stated, and I misread!), and voila! It all came together!

Thanks for all your help! ;)

Will
 
Hi all, I've been reading through this thread and as I attempt to implement something similar to what everyone is posting about (Win2k3 environment, trying to do a simple ASP page to query Active Directory) I keep running into error '8007007f'.

For example: (as posted by zcoltan I believe)

<%@ Language=VBScript %>
<%
Option Explicit
Dim con, rs, Com, objADsPath, objDomain
%>
<html>
<head>
</head>
<body bgcolor="#CCCCCC">
<%
Set objDomain = GetObject("GC://RootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection")
con.Provider = "ADsDSOObject"
con.Open "Active Directory Provider"   ' line 16: where error 8007007f is raised
Set Com = CreateObject("ADODB.Command")
Set Com.ActiveConnection = con
Com.CommandText = "select department from 'GC://" & objADsPath & "' WHERE department='*'"
Set rs = Com.Execute

Do While Not (rs.EOF Or rs.BOF)   ' parenthesised so an empty recordset is not entered

    Response.Write rs("department") & "<BR>"

    rs.MoveNext
Loop
rs.Close

con.Close
Set rs = Nothing
Set con = Nothing
%>
</body>
</html>

This results in an error such as:

error '8007007f'
/2/7.asp, line 16


Any thoughts appreciated!

Edward
ebroo@phillips.com
 
When I started this thread, I had run into that error and what little information I could find on the net said to try upgrading to MDAC version 2.8. You might give that a shot.
 
Hi, I have a number of web pages that have been using LDAP to check if a user was a member of particular group. This was working until our network admin upgraded the domain controller to Windows 2003. Now I am getting an error when I try to create an ADODB connection. Following is the implementation up to the point of failure. Any ideas?? Any help would be greatly appreciated as this is a production site and a number of my users are being blocked from a number of functions.

On Error Resume Next   ' needed for the Err checks below to run at all

Set oRootDSE = GetObject("LDAP://RootDSE")

sDomainADsPath = "LDAP://" & oRootDSE.Get("defaultNamingContext")
Set oRootDSE = Nothing

Set oCon = Server.CreateObject("ADODB.Connection")
If oCon Is Nothing Then
    Response.Write "failed to create the connection object"
    Response.End
End If

oCon.Provider = "ADsDSOObject"

If Err.Number <> 0 Then
    Response.Write "error setting provider <br>"
    Response.Write Err.Number
    Response.Write Err.Description
    Response.End
    'the error that I am getting is 424 Object required
End If

 
I am trying something similar, only my IIS web server is not a member of the domain I am trying to query. Joining the web server to the domain is not an option, as it would be a serious security problem.

Using the scripts posted here, I cannot get anything to work.

Here is a script that I am using to try and access my AD:
Code:
<%@ Language=VBScript %>
<%
Option Explicit
Response.Buffer = True
Dim con, rs, Com, objADsPath, objDomain, objADOU, intUAC
%>
<html>
<head>
</head>
<%
Set objDomain = GetObject("LDAP://coadc02.whccd.com")
objADsPath = "dc=whccd,dc=com"
Set objDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection")
con.Provider = "ADsDSOObject"
con.Open "Active Directory Provider"
Set Com = CreateObject("ADODB.Command")
Set Com.ActiveConnection = con
Com.CommandText = "select name from 'LDAP://dc=whccd,dc=com'"
Set rs = Com.Execute   ' line 20: where 80040e37 (Table does not exist) is raised
While Not rs.EOF
    Response.Write rs.Fields("name") & "<br>"
    rs.MoveNext
Wend
rs.Close
Set rs = Nothing
con.Close
Set con = Nothing
%>
</body>
</html>

I have IIS6 set up to use a local account named "domainquery" and have created a domain account called "domainquery", both with the same password, hoping that this would allow IIS to query our AD.
With the above page, I get the error:

Provider error '80040e37'

Table does not exist.

/login/index.asp, line 20
 